From owner-freebsd-bugs@FreeBSD.ORG Fri Aug 3 10:40:02 2007 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0E43116A419 for ; Fri, 3 Aug 2007 10:40:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id DA50713C469 for ; Fri, 3 Aug 2007 10:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l73Ae1Je005762 for ; Fri, 3 Aug 2007 10:40:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l73Ae1Xm005761; Fri, 3 Aug 2007 10:40:01 GMT (envelope-from gnats) Resent-Date: Fri, 3 Aug 2007 10:40:01 GMT Resent-Message-Id: <200708031040.l73Ae1Xm005761@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Matthijs Kooijman Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6428616A46E for ; Fri, 3 Aug 2007 10:36:09 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 4B7F213C478 for ; Fri, 3 Aug 2007 10:36:09 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l73Aa8nO047179 for ; Fri, 3 Aug 2007 10:36:08 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.1/8.14.1/Submit) id l73Aa8jM047178; Fri, 3 Aug 2007 10:36:08 GMT (envelope-from nobody) Message-Id: <200708031036.l73Aa8jM047178@www.freebsd.org> Date: Fri, 3 Aug 2007 10:36:08 GMT From: Matthijs Kooijman To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.0 Cc: Subject: kern/115162: [libpam] [patch] Add check for target user's group list to pam_group X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 10:40:02 -0000 >Number: 115162 >Category: kern >Synopsis: [libpam] [patch] Add check for target user's group list to pam_group >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Aug 03 10:40:01 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Matthijs Kooijman >Release: 6.2-RELEASE >Organization: I.C.T.S.V. Inter-Actief >Environment: FreeBSD zwarejongens.vereniging.utwente.nl 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #1: Wed Jul 11 15:19:37 CEST 2007 matthijs@zwarejongens.vereniging.utwente.nl:/usr/obj/usr/src/sys/ZWAREJONGENS_6_2a i386 >Description: The added patch adds a "target" option to the pam_group module. This option makes pam_group do its checks against the target user's group list instead of the applicant's group. This behaviour can be used to limit user logins to a specific group for networked services, where there is no identified applicant yet, such as for ssh logins. >How-To-Repeat: >Fix: Patch attached with submission follows: --- pam_group.c.orig Wed Aug 1 20:43:51 2007 +++ pam_group.c.target Wed Aug 1 21:56:37 2007 @@ -69,10 +69,14 @@ if (pwd->pw_uid != 0 && openpam_get_option(pamh, "root_only")) return (PAM_IGNORE); - /* get applicant */ - if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS - || ruser == NULL || (pwd = getpwnam(ruser)) == NULL) - return (PAM_AUTH_ERR); + /* get applicant, unless we should compare with the target account */ + if (!openpam_get_option(pamh, "target")) + if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS + || ruser == NULL || (pwd = getpwnam(ruser)) == NULL) + return (PAM_AUTH_ERR); + + /* Note that if the target option is set, pwd will contain the target + account instead of applicant's account now */ /* get regulating group */ if ((group = openpam_get_option(pamh, "group")) == NULL) >Release-Note: >Audit-Trail: >Unformatted: